Source address validation (was Re: UUNet Offer New Protection Against DDoS)

...
> buying screen doors for igloos may not be the best use of resources. uRPF
> doesn't actually prevent any attacks.

actually, it would. universal uRPF would stop some attacks, and it would
remove a "plan B" option for some attack-flowcharts. i would *much* rather
play defense without facing this latent weapon available to the offense.

> Would you rather ISPs spend money to
>   1. Deploying S-BGP?
>   2. Deploying uRPF?
>   3. Respond to incident reports?

"yes."

and i can remember being sick and tired of competing (on price, no less)
against providers who couldn't/wouldn't do #2 or #3. i'm out of the isp
business at the moment, but the "race to the bottom" mentality is still
a pain in my hindquarters, both present and remembered.

> actually, it would. universal uRPF would stop some attacks, and it would
> remove a "plan B" option for some attack-flowcharts. i would *much* rather
> play defense without facing this latent weapon available to the offense.

I'm agreeing here, okay (yet another) example.. smurf attacks. These seem to be
non-existent these days so shall we stop disabling 'ip directed-broadcast' on
our routers?

Steve

smurf attacks are far from 'non-existent' today, however they are not as
popular as in 1999-2000-2001. In fact netscan.org still shows almost 9k
networks that are 'broken'.

A few of us tried (like netscan, only more aggressively on a weekly
basis) to find and try to get closed, smurf amplifiers in the RIPE
region.
We eventually gave up after closing ~20k, when the last few k refused to
do anything at all.
"My network is just a /30! Who cares, you're only getting TWO replies
back for ONE packet, it's not like the big amplifiers! I'm not going to
fix this!".

To anyone with this attitude: You are an idiot.

> smurf attacks are far from 'non-existent' today, however they are not as
> popular as in 1999-2000-2001.

that's interesting, i've not seen/heard of one for ages.. (guess u have a wider
testing ground :)

> In fact netscan.org still shows almost 9k networks that are 'broken'.

actually i just ran that file through a quick awk and sort to see to what extent
these networks exist..

as you can see almost all only reply two or three times, not like in the old
days with >100 replies being commonplace..

5224 2
1834 3
897 4
334 5
167 6
  56 7
  19 8
  15 9
   7 10
  11 11
   6 12
   3 13
   6 14
   1 15
   1 16
   4 17
   5 18
   1 23
   1 26
   1 28
   1 100
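An added example, not code from the thread: a POSIX shell rebuild of the "quick awk and sort" pass above over a constructed amplifier list (the real netscan.org file layout is not shown here, so a "network replies_per_probe" line format is assumed), which also totals the replies a single spoofed probe would still draw from every listed network.

```shell
# Added example (not from the thread): rebuild the "quick awk and sort" pass
# over a netscan-style amplifier list and total the reflected replies.
# The input layout is ASSUMED to be "network replies_per_probe", one line
# per broken network; the thread does not show the real file format.
AMP_LIST="${TMPDIR:-/tmp}/amp_list.$$"

# Constructed sample using documentation prefixes; one comment line is
# included so the numeric filters below are seen to skip it.
cat > "$AMP_LIST" <<'EOF'
# network replies
192.0.2.0/30 2
192.0.2.4/30 2
192.0.2.8/30 2
203.0.113.0/29 2
198.51.100.0/27 3
198.51.100.32/27 3
203.0.113.128/25 100
EOF

# Histogram in the shape posted upthread: "<networks> <replies per probe>",
# most populous bucket first.
amp_histogram() {
    awk '$2 ~ /^[0-9]+$/ { print $2 }' "$1" \
        | sort -n | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Replies one spoofed probe sent to every listed broadcast address would
# still generate: the volume a victim absorbs even from "only two replies"
# networks, which is the point made in the follow-up.
amp_total() {
    awk '$2 ~ /^[0-9]+$/ { s += $2 } END { print s + 0 }' "$1"
}

# Networks at or above a reply threshold, i.e. the ones to notify first.
amp_big() {
    awk -v t="$2" '$2 ~ /^[0-9]+$/ && $2 + 0 >= t + 0 { print $1 }' "$1"
}

amp_histogram "$AMP_LIST"
echo "total replies per probe: $(amp_total "$AMP_LIST")"
```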

removed paul from the direct reply since his mailserver doesn't like uunet
mail servers :)

> smurf attacks are far from 'non-existent' today, however they are not as
> popular as in 1999-2000-2001.

> that's interesting, i've not seen/heard of one for ages.. (guess u have a wider
> testing ground :)

just last week we had one... they do still happen.

> In fact netscan.org still shows almost 9k networks that are 'broken'.

> actually i just ran that file through a quick awk and sort to see to what extent
> these networks exist..
>
> as you can see almost all only reply two or three times, not like in the old
> days with >100 replies being commonplace..

Sure, but a list of 9k networks with this level of response is still enough
to do damage. It's getting better, no doubt about it but it's still a
factor.

--Chris
(formerly chris@uu.net)